Content-Security-Policy Header Issue


PHP Example:

<?php
// Must be sent before any output, otherwise header() fails.
// 'nonce-1234' is a fixed placeholder here; in production the nonce value
// has to be random and different for every response.
header("Content-Security-Policy: default-src *; img-src *; frame-src https:; script-src https: 'self' 'nonce-1234'; style-src https: 'self' 'nonce-1234'");

Test Results

  • ‘unsafe-inline’
    This source expression no longer has any effect here: once the directive also carries a nonce (or hash), browsers that support CSP Level 2 ignore ‘unsafe-inline’, so inline scripts are still blocked.
  • A ‘nonce’ appears to be the best way to solve the inline script issue: the inline <script> tag carries the same nonce value that is sent in the header.
<!-- Global site tag (gtag.js) - Google Analytics -->
<script async src=""></script>
<!-- The nonce attribute must match the 'nonce-...' value in the CSP header -->
<script nonce="{{ $nonce }}">
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'G-F1234');
</script>
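As an added example (not part of the original note), the same header built with a fresh per-response nonce instead of the fixed 'nonce-1234', and the inline script emitted with the matching attribute. The directive layout mirrors the note's header; the gtag loader URL is the standard one and G-F1234 is the note's own placeholder ID.

```php
<?php
// Added example: per-response CSP nonce. A nonce that never changes can be
// copied into injected markup, so it must be random and unique per response.
declare(strict_types=1);

/** 16 bytes from the CSPRNG (128 bits), base64-encoded as the CSP spec expects. */
function csp_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/** Build the policy string; the directives mirror the note's header above. */
function csp_policy(string $nonce): string
{
    $directives = [
        'default-src' => ['*'],
        'img-src'     => ['*'],
        'frame-src'   => ['https:'],
        'script-src'  => ['https:', "'self'", "'nonce-$nonce'"],
        'style-src'   => ['https:', "'self'", "'nonce-$nonce'"],
    ];
    $parts = [];
    foreach ($directives as $name => $sources) {
        $parts[] = $name . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

$nonce = csp_nonce();
// header() must run before any byte of the body is sent.
header('Content-Security-Policy: ' . csp_policy($nonce));

// Escape the nonce when placing it in an attribute, even though base64 is safe.
$attr = htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8');
?>
<!-- External loader is allowed by the https: source; nonce not required for it -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-F1234"></script>
<script nonce="<?= $attr ?>">
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-F1234');
</script>
```

Any inline script without the matching nonce attribute is still blocked, which is the behaviour observed in the test results above.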